Examples of Lattices in Computer Security Models
Formal models of secure computer systems use the algebraic concept of a lattice
to describe certain components of the system. In this note three examples are
presented: the space of security values in the Bell-LaPadula model, the space of
multi-level objects, and Dorothy Denning's information flow model.



I. USE OF A LATTICE IN THE BELL-LAPADULA MODEL 

In this note we point out several important notions in the area of computer 
security which constitute examples of the mathematical concept of a lattice. 
Perhaps the best known use of a lattice appears in the Bell-LaPadula model for a 
secure computer system as described in [1]. Let $L$ denote the set of all security
values that may be assigned to sensitive information to be handled within the
system. It is important to be able to give precise meaning to the notion of one
security value being superior to or "dominating" another security value. To
accomplish this, Bell and LaPadula define $L$ to be

$$L = C \times \mathcal{P}K$$

where $C$ is a finite simply ordered set and $\mathcal{P}K$ is the power set of another finite set
$K$. The members of the set

$$C = C_1 > C_2 > \cdots > C_n$$

are the familiar designators $C_1$ = TOP SECRET; $\ldots$; $C_n$ = UNCLASSIFIED.
The set $K$ consists of all the additional constraints which are placed on the
dissemination of information such as codewords, special clearances, etc. Thus, a
security value $\ell$ is of the form

$$\ell = (C_i, k)$$

where $1 \le i \le n$ and $k \subseteq K$. If $\ell_1 = (C_{i_1}, k_1)$ and $\ell_2 = (C_{i_2}, k_2)$, then $\ell_1$ "dominates" $\ell_2$,
denoted by

$$\ell_1 \gg \ell_2$$

if and only if

$$i_1 \le i_2 \quad \text{and} \quad k_1 \supseteq k_2 .$$
It is easy to see that the relation $\gg$ is reflexive, antisymmetric, and transitive;
consequently, $L$ is a partially ordered set. The least upper bound of $\ell_1$ and $\ell_2$ is

$$\mathrm{lub}(\ell_1, \ell_2) = (C_{i_3}, k_3)$$

where $i_3 = \min(i_1, i_2)$ and $k_3 = k_1 \cup k_2$. Similarly, the greatest lower bound of
$\ell_1$ and $\ell_2$ is

$$\mathrm{glb}(\ell_1, \ell_2) = (C_{i_4}, k_4)$$

where $i_4 = \max(i_1, i_2)$ and $k_4 = k_1 \cap k_2$. The universal upper bound is $(C_1, K)$
while the universal lower bound is $(C_n, \emptyset)$. Hence, $L$ is a lattice. For the case $n =
2$ and $K = \{1, 2, 3\}$ the lattice $L$ is described by the following diagram:

Fig. 1. [Diagram of the lattice $L$ for $n = 2$, $K = \{1, 2, 3\}$; not reproduced in this copy.]
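The following is an added example, not part of the original note: it builds the Fig. 1 case ($n = 2$, $K = \{1, 2, 3\}$) as pairs $(i, k)$, implements the dominance relation, lub and glb exactly as defined above, and checks by exhaustive enumeration that they make $L$ a lattice with the stated universal bounds. The indexing convention (smaller $i$ is the higher classification) follows the note; the function names are my own.

```python
"""Bell-LaPadula security values L = C x P(K), checked as a lattice.
C_1 is the highest classification and C_n the lowest; a value is (i, k)."""
from itertools import combinations

N = 2                       # |C|: C_1 = TOP SECRET, C_2 = UNCLASSIFIED
K = frozenset({1, 2, 3})    # the Fig. 1 case K = {1, 2, 3}


def powerset(s):
    """All subsets of s as frozensets (P(K) in the note's notation)."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


L = [(i, k) for i in range(1, N + 1) for k in powerset(K)]   # 2 * 8 = 16 values


def dominates(l1, l2):
    """l1 >> l2  iff  i1 <= i2 (higher or equal classification) and k1 is a superset of k2."""
    (i1, k1), (i2, k2) = l1, l2
    return i1 <= i2 and k1 >= k2


def lub(l1, l2):
    """Least upper bound: the higher classification and the union of the constraint sets."""
    return (min(l1[0], l2[0]), l1[1] | l2[1])


def glb(l1, l2):
    """Greatest lower bound: the lower classification and the intersection of the constraint sets."""
    return (max(l1[0], l2[0]), l1[1] & l2[1])


def is_partial_order(values=L):
    """Reflexive, antisymmetric and transitive, checked by exhaustive enumeration."""
    refl = all(dominates(a, a) for a in values)
    anti = all(a == b for a in values for b in values
               if dominates(a, b) and dominates(b, a))
    trans = all(dominates(a, c) for a in values for b in values for c in values
                if dominates(a, b) and dominates(b, c))
    return refl and anti and trans


def lub_is_least(values=L):
    """lub(a, b) dominates both a and b and is dominated by every other common upper bound."""
    return all(dominates(lub(a, b), a) and dominates(lub(a, b), b)
               and all(dominates(d, lub(a, b)) for d in values
                       if dominates(d, a) and dominates(d, b))
               for a in values for b in values)


def universal_bounds(values=L):
    """The unique top (C_1, K) and bottom (C_n, empty set) of the lattice."""
    top = [v for v in values if all(dominates(v, w) for w in values)]
    bot = [v for v in values if all(dominates(w, v) for w in values)]
    return top[0], bot[0]
```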



II. THE MULTI-LEVEL OBJECT MODEL AS A LATTICE 

The units of information in the Bell-LaPadula model are termed objects and
each object $o$ is assigned a security value $f_O(o)$ which lies in $L$. A generalization is
the case where objects are themselves collections of other information units whose
security values differ, the multi-level object model. An example is a filing cabinet
housing a collection of classified technical papers. The cabinet itself can be
viewed as a collection of drawers; each drawer can be viewed as a collection of
folders while each folder is a set of classified papers whose security values
constitute a subset of $L$. The model for the family of objects is a hierarchy as
defined in [2]. Formally, a hierarchy is a collection of sets

$$H = \{S_i : 0 \le i \le n\}$$

where $S_0 \supseteq S_i$ for $1 \le i \le n$ and, if $S_i \cap S_j \ne \emptyset$, then either $S_i \supseteq S_j$ or $S_j \supseteq S_i$ for all
$1 \le i, j \le n$. Clearly, the hierarchy $H$ is a subset of $\mathcal{P}S_0$, the power set of $S_0$. It
is well known that $\mathcal{P}S_0$ is a lattice where the partial ordering relation is
"contains"; hence $H$ is a partially ordered set. If we annex the null set to $H$, the
enlarged set $H^*$ is a lattice. The diagram of $H$ is a tree (no cycles) as is shown in
the following example:

Suppose $S_0$ is a set of 10 elements denoted by the integers $1, \ldots, 10$. Let
the sets $S_i$ be defined as follows:

$S_1 = \{1, 3, 5\}$, $S_2 = \{2, 4, 6\}$, $S_3 = \{7, 8, 9, 10\}$,
$S_4 = \{1, 5\}$, $S_5 = \{3\}$, $S_6 = \{2, 6\}$,
$S_7 = \{8, 9, 10\}$, $S_8 = \{8, 9\}$, $S_9 = \{8\}$, $S_{10} = \{9\}$.

The diagram representing $H$ is

Fig. 2. [Tree of the hierarchy $H$ rooted at $S_0$; not reproduced in this copy.]

The set of objects in the Bell-LaPadula model can be represented by a hierarchy:
the set $S_0$ is the set of all objects while each set $S_i$ contains one and only one object.
The diagram is the trivial tree
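An added example, not from the note itself, using the Fig. 2 sets: it verifies the two hierarchy conditions (every $S_i$ lies in $S_0$; any two members are nested or disjoint), recovers the tree by giving each $S_i$ its smallest strict superset as parent, and shows why the null set must be annexed to obtain the lattice $H^*$. Function names are my own.

```python
"""Hierarchy H = {S_i : 0 <= i <= n} of Section II, checked and turned into its tree.
The sets below are the note's Fig. 2 example with S_0 = {1, ..., 10}."""

S = {
    0: frozenset(range(1, 11)),
    1: frozenset({1, 3, 5}), 2: frozenset({2, 4, 6}), 3: frozenset({7, 8, 9, 10}),
    4: frozenset({1, 5}), 5: frozenset({3}), 6: frozenset({2, 6}),
    7: frozenset({8, 9, 10}), 8: frozenset({8, 9}), 9: frozenset({8}), 10: frozenset({9}),
}


def is_hierarchy(sets):
    """S_0 contains every S_i, and any two members are nested or disjoint."""
    root = sets[0]
    members = list(sets.values())
    if not all(root >= s for s in members):
        return False
    return all(a.isdisjoint(b) or a >= b or b >= a for a in members for b in members)


def parent_tree(sets):
    """Parent of each S_i (i > 0): the smallest member of H that strictly contains it.
    Nesting-or-disjointness makes this choice unique, so the diagram is a tree."""
    tree = {}
    for i, s in sets.items():
        if i == 0:
            continue
        tree[i] = min((len(t), j) for j, t in sets.items() if t > s)[1]
    return tree


def glb_in_h_star(sets, i, j):
    """Greatest lower bound under "contains": the smaller set when nested, otherwise
    the null set, which is why the note annexes the null set to obtain the lattice H*."""
    a, b = sets[i], sets[j]
    if a >= b:
        return b
    if b >= a:
        return a
    return frozenset()
```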
III. DENNING'S SECURE INFORMATION FLOW MODEL LATTICE

Possibly the most important use of lattices occurs in Dorothy Denning's model
for secure information flow. By means of a set of processes $P$, information is said
to "flow" among objects in the set $N$. For example, when a message is transmitted
from terminal $a$ to terminal $b$, information "flows" between $a$ and $b$. When an
object updates a file, information "flows" between the two. In general, when any
object invokes any of the processes in $P$, an information flow is created. In order to
describe security measures formally in this context, we first postulate that a
function $f$ has been defined which assigns to each object $a$ in $N$ a security value
$f(a)$ in the set of security values $SC$.

Next, we postulate that the system designer describes the security policy of
the system by means of a set of ordered pairs $\Omega$ in $SC \times SC$. The security policy is
simply this:

If $f(a) = A$ and $f(b) = B$, then information is allowed to flow from $a$ to $b$ if
and only if the ordered pair $(A, B)$ is in $\Omega$.

This view of security seems to imply that, given the ordered pair $(A, B)$, the
security value $B$ is in some way "superior" to $A$ since it would violate all our
intuitive feelings to allow information of security value $A$ to flow to an object of
lesser security classification. This notion is easily developed as will be shown
below.

The set of ordered pairs $\Omega \subseteq SC \times SC$ is, of course, an example of a relation.
There are several properties our intuition says $\Omega$ ought to possess if the relation is
to provide a realistic description of "secure information flow." Certainly, there
ought to be transitivity: if information can flow from $A$ to $B$ and also from $B$ to $C$,
then it ought to be safe to allow the flow from $A$ to $C$. In the context of ordered
pairs, this says that if $(A, B)$ and $(B, C)$ are in $\Omega$, then so is $(A, C)$. Also, if
information can flow from $A$ to $B$ and $B$ to $A$ then $A$ and $B$ ought to be of equal
weight or value. Consequently, we postulate antisymmetry. Further, it seems
reasonable to postulate that if objects $a_1$ and $a_2$ both have security value $A$, then
information can flow from $a_1$ to $a_2$. This, of course, says that the relation is
reflexive. If we adopt the notation "$A \to B$" for $(A, B)$, then, formally, we assume

(i) $A \to A$ for all $A \in SC$

(ii) $A \to B$ and $B \to A$ if and only if $A = B$

(iii) if $A \to B$ and $B \to C$, then $A \to C$
Thus, the set of security values $SC$, with respect to the relation $\to$, is a partially
ordered set. Without loss of generality we may assume that $SC$ contains both a
"greatest" member $U$ and a "least" member $L$, i.e., for all $A \in SC$

$$L \to A \quad \text{and} \quad A \to U.$$

$L$ corresponds to the classification of information available to all entities in the
universe; information classified $U$ is available only to the ruling elite.

There is one additional problem the designer of a secure information flow
system must solve. Suppose a process is able to generate a new information unit
which is a function of the information contained in objects $a_1, a_2, \ldots, a_n$. The
problem is to decide what security value to assign the new element we shall call

$$a^* = g(a_1, a_2, \ldots, a_n).$$

For example, $a^*$ may be a report produced from data associated with $a_1, a_2, \ldots, a_n$
and may be upgraded periodically. Our intuition says that $f(a^*)$ ought not to be
inferior to $f(a_i)$ for any $1 \le i \le n$; symbolically, we desire

$$f(a_i) \to f(a^*), \qquad 1 \le i \le n.$$

This implies that $f(a^*)$ is an upper bound for the set of elements

$$\{f(a_i) : 1 \le i \le n\}$$

in $SC$. In order to prevent overclassification, we would like to make $f(a^*)$ the
"least" of the upper bounds. Consequently, we postulate that our set $\Omega$ satisfies
the additional condition:

For every $A$ and $B$ in $SC$, there exists $C$ in $SC$ such that

(i) $A \to C$ and $B \to C$

(ii) if $D \in SC$ such that $A \to D$ and $B \to D$, then $C \to D$

All the conditions we have placed on the set of ordered pairs $\Omega$ enable us to prove
that $SC$ is a lattice with respect to the relation $\to$. (Recall that the greatest lower
bound of $A$ and $B$ is the least upper bound of the set of all elements $F$ such that
$F \to A$ and $F \to B$.) Note the order in which this characterization has evolved. We
began with the collection of ordered pairs $\Omega$, specified by the system designer as
the security policy. Reasonable constraints placed on $\Omega$ to satisfy our intuitive
security concerns, when formalized, led to the mathematical characterization of
$SC$ as a lattice.
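The following added example (not part of the note) treats a designer's policy $\Omega$ purely as a set of ordered pairs, as Section III does: it checks conditions (i)-(iii), finds the $C$ of the additional condition for each pair, derives glb from lub in the way the parenthetical remark describes, and assigns $f(a^*)$ to a derived object. The four-element diamond $SC$ and the second, non-lattice policy are constructed for illustration; function names are my own.

```python
"""Denning's flow policy as a relation Omega on SC, with lub/glb derived from it.
A -> B means information classified A may flow to an object classified B."""
from functools import reduce

# Constructed example: the four-element diamond L -> A, L -> B, A -> U, B -> U.
SC = {"L", "A", "B", "U"}
OMEGA = {(x, x) for x in SC} | {("L", "A"), ("L", "B"), ("L", "U"), ("A", "U"), ("B", "U")}


def may_flow(omega, f, a, b):
    """The policy itself: object a may flow to object b iff (f(a), f(b)) is in Omega."""
    return (f[a], f[b]) in omega


def is_partial_order(sc, omega):
    """Conditions (i)-(iii): reflexive, antisymmetric, transitive."""
    refl = all((a, a) in omega for a in sc)
    anti = all(a == b for (a, b) in omega if (b, a) in omega)
    trans = all((a, c) in omega for (a, b) in omega for (b2, c) in omega if b == b2)
    return refl and anti and trans


def lub(sc, omega, a, b):
    """The C of the additional condition: A -> C, B -> C, and C -> D for every
    common upper bound D. Returns None when no such C exists."""
    uppers = [c for c in sc if (a, c) in omega and (b, c) in omega]
    least = [c for c in uppers if all((c, d) in omega for d in uppers)]
    return least[0] if least else None


def glb(sc, omega, a, b):
    """Greatest lower bound, as the note remarks: the lub of all F with F -> A and F -> B."""
    lowers = [f for f in sc if (f, a) in omega and (f, b) in omega]
    return reduce(lambda x, y: lub(sc, omega, x, y), lowers) if lowers else None


def is_lattice(sc, omega):
    """Partial order in which every pair has a least upper bound."""
    return is_partial_order(sc, omega) and all(
        lub(sc, omega, a, b) is not None for a in sc for b in sc)


def label_of_derived(sc, omega, f, sources):
    """f(a*) for a* = g(a_1, ..., a_n): the least upper bound of the f(a_i)."""
    return reduce(lambda x, y: lub(sc, omega, x, y), (f[a] for a in sources))
```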